The recent cyber attack on the Missouri teachers’ pension fund, the Public School and Education Employee Retirement Systems (PSERS/PEERS), has exposed just how vulnerable some pensions can be when it comes to internet security. With billions of dollars, data, and personal information on the line, pensions are a prime target for cyber criminals. Unfortunately, however, some officials in the pension world may not take necessary proactive steps to best protect their funds.
“I’ve talked to people who said that ‘cybersecurity is a technical issue, and since we outsource technology, it’s not really my problem,’” said Alan Brill, senior managing director of cyber risk at Kroll, who has testified twice to Congress about the cybersecurity of pension funds in the United States.
The hack at the Missouri fund occurred when an employee’s email account was accessed for less than an hour by someone outside the retirement system without authorization. The pension sent a notification to employees and beneficiaries informing them that “personal information may have been potentially exposed to an unauthorized individual.”
Brill says that just because pensions outsource cybersecurity, it doesn’t mean they can sit back and relax worry-free. “That’s 100% wrong. You are responsible for that data,” Brill said.
Instead, Brill recommends that pension funds discuss cybersecurity at board meetings at least a couple times a year. During those meetings, he adds, they should be asking questions such as “‘How would we know if an incident occurred? What is the incident response plan? What are our cybersecurity standards?’” If the pension is employing a third party to handle cybersecurity, he encourages the board to direct these questions to the firm it has hired.
Pensions should also ensure they have some sort of 24/7 monitoring of their networks, as opposed to partial monitoring, Brill added. This means most pensions should use an automatic software program built into the server that will immediately alert a security operations center if something goes wrong. “You can’t simply assume that because you didn’t get broken into last week, you’re probably OK in the future,” Brill said.
US pension funds have only recently received federal guidance on best practices for cybersecurity. The Department of Labor (DOL) released a new set of guidelines for plan sponsors, plan fiduciaries, recordkeepers, and plan participants this April. It was the first time the agency’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidelines.
Related Stories:Missouri Teachers’ Pension Hit by Cyber Attack